IIS Insider - February 2004

Parser Error Message with ASP.net Installed

Q: We recently installed ASP.net on your IIS 5 server and are receiving the following message:

Parser Error Message: It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level.
This error can be caused by a virtual directory not being configured as
an application in IIS.
Line 1: <configuration>
Line 2: <system.web>
Line 3: <authentication mode="Forms">
Line 4: <forms loginUrl="LoginPage.aspx">
Line 5: <credentials passwordFormat="Clear">

I was told by someone that I did not configure my application folder as Virtual directory in IIS. However, doing so did not solve the problem. What can we do to correct this issue?

A: With ASP.net, you can place a web.config file in a folder that is part of your web server's content (web root, directory, or virtual directory), and ASP.net will use it to configure various components and characteristics of your application. This is also true for the global.asa file for Asp applications. However, to do so, the folder must be marked as an "application" in the IIS snap-in. In this context, the term application has a different meaning than the way we normally use it. For our purposes, we are referring to designating an application starting point. In other words, you can designate a folder on a web site where Application A begins, such as a shopping cart application, and another folder where Application B begins, such as an application that presents on-line surveys - they will have a different set of application variables for Asp (or ASP.net). You can place a different global.asa or web.config file in each defined application staring point.

Contrary to the advice you received, it is not required that the location be a virtual directory. It can be a normal folder or even the web site root.

The screen shot below (Figure 1) displays the properties of a virtual directory. Note the "Configuration" button and empty text box for "Application." When you click the Configuration button, you inform IIS that the location for the directory, virtual directory, or web root is an Application starting point. The name for the application is optional, but can be useful for troubleshooting - so you should assign a name. Enabling the folder you're working with as an Application will result in ASP.net reading the web.config file you've place in the folder and the error will disappear.

If your browser does not support inline frames, click here to view on a separate page.

Figure 1 Properties of a Virtual Directory

Web Service Extensions Feature in IIS 6.0

Q: We are migrating to IIS 6 from IIS 5. With IIS 6's Web Service Extensions feature, we need to know all the executables content that's running on our IIS 5 server. This server host has a few hundred sites and hosts many applications for our intranet. How can we identify all the content we need to enable in the Web Service Extensions node so these programs will run on IIS 6?

A: I have just the the tip you need, but first a little background for readers who aren't familiar with IIS 6.0's Web Service Extensions feature. In previous versions of IIS, if you place an executable (.dll or .exe) on the server, enable the web site for executables in the IIS console, and assign NTFS permissions that allow Execute for the user, IIS would run the program when it received a request for the file. In IIS 6.0 this same request will fail unless the file is explicitly listed by full path and name in the Web Service Extension node of the IIS console. When an executable is requested and it is not listed with Web Service Extensions, the user receives a File Not Found message. In this way, even if a hacker places a backdoor or listener on IIS 6, they cannot execute it unless it can be listed in Web Service Extensions which requires Administrative privileges. Shown below (Figure 2) is a sample of the Web Service Extensions screen with ASP enabled.

If your browser does not support inline frames, click here to view on a separate page.

Figure 2 Web Service Extensions screen with ASP enabled

Of course, security has a price and in this case, programs that ran fine on previous versions of IIS now have to be listed individually in the Web Service Extensions node of the IIS console before they will run. You do not need to list each ASP page, just permit asp.dll to run. With binary files (.dll or .exe), any file you invoke from a URL needs to be listed. If this sounds like too much trouble, you can simply enable the Allow All settings which exist for ISAPI and CGI as shown in the screenshot.

When migrating from prior versions of IIS to IIS 6 you will likely want to use the Web Service Extensions as it provides a strong, additional layer of security. The question is, how to identify which executables (and scripts engines) you need to enable on IIS 6.

You may recall I've mentioned the Log Parser Tool in these columns before, and with good reason. This utility has an extraordinary amount of usefulness and is easy to use with just a little study. In this case, the Log Parser Tool comes to the rescue quite nicely. You can run the following query with the Tool to produce a list of all filenames that appear in your IIS logs.

Equipped with this information, you can locate the paths to executable content and script engines you require and enter those values in the Web Service Extensions.

Recycling ASP.net Periodically

Q: We have installed ASP.net on our IIS 5 server to deliver a .NET application over the web. The application is working fine except that periodically the aspnet_wp.exe process consumes too much memory and is recycled by ASP.net. While the recycling is fine, we'd like to recycle ASP.net periodically rather than waiting till it gets into a low memory state. With IIS 5, we used to do this with the IIS 5 Process Recycle tool. How can we cause ASP.net to recycle on a schedule like we can with the IIS 5 Process Recycle tool.

A: The IIS 5 Process Recycle tool is a useful utility that allows you to configure IIS 5 to restart based on the number of http gets, time of day, memory consumption and other parameters. The tool was created before ASP.net was released and so it does not have any awareness of aspnet_wp.exe which runs ASP.net applications on an IIS 5 server. Nevertheless, when you recycle IIS with the Process Recycle Tool, IISRESET, or any other method, it will restart ASP.net as well; however, you can recycle ASP.net independently of the server using configuration elements built into ASP.net.

This is accomplished with the process configuration settings located in the web.config file for ASP.net. By default, web.config is located in the %systemroot%\Microsoft.Net\Framework\v<version number>\CONFIG directory. It is an XML file that you can open and edit with a text editor such as Notepad. Open the file and search for the word, "processmodel." This will take you to the process model configuration which contains the following commented section:

<!--
processModel Attributes: enable="[true|false]" - Enable process
Model
timeout="[Infinite | HH:MM:SS]" - Total life of process, once
expired process is shutdown and a new process is created
idleTimeout="[Infinite | HH:MM:SS]" - Total idle life of process,
once expired process is automatically shutdown
shutdownTimeout="[Infinite | HH:MM:SS]" - Time process is given to
shutdown gracefully before being killed
requestLimit="[Infinite | number]" - Total number of requests to
serve before process is shutdown
requestQueueLimit="[Infinite | number]" - Number of queued requests
allowed before process is shutdown
restartQueueLimit="[Infinite | number]" - Number of requests kept
in queue while process is restarting
memoryLimit="[number]" - Represents percentage of physical memory
process is allowed to use before process is recycled
webGarden="[true|false]" - Determines whether a process should be
affinitized with a particular CPU
cpuMask="[bit mask]" - Controls number of available CPUs
available for ASP.NET processes (webGarden must be set to true)
userName="[user]" - Windows user to run the process as.
Special users: "SYSTEM": run as localsystem (high privilege admin)
account.v "machine": run as low privilege user account named
"ASPNET".
Other users: If domain is not specified, current machine name is
assumed to be the domain name.
password="[AutoGenerate | password]" - Password of windows user.
For special users (SYSTEM and machine), specify "AutoGenerate".
logLevel="[All|None|Errors]" - Event types logged to the event log
clientConnectedCheck="[HH:MM:SS]" - Time a request is left in the
queue before ASP.NET does a client connected check
comAuthenticationLevel="[Default|None|Connect|Call|Pkt|PktIntegrity|
PktPrivacy]" - Level of authentication for DCOM security
comImpersonationLevel="[Default|Anonymous|Identify|Impersonate|
Delegate]" - Authentication level for COM security
responseDeadlockInterval="[Infinite | HH:MM:SS]" - For deadlock
detection, timeout for responses when there are executing
requests.
responseRestartDeadlockInterval="[Infinite | HH:MM:SS]" - Time to
wait between restarting WPs due to responseDeadlockInterval
maxWorkerThreads="[number]" - Maximum number of worker threads per
CPU in the thread pool
maxIoThreads="[number]" - Maximum number of IO threads per CPU in
the thread pool
serverErrorMessageFile="[filename]" - Customization for
"Server Unavailable" message
When ASP.NET is running under IIS 6 in native mode, the IIS 6
process model is used and settings in this section are ignored.
Please use the IIS administrative UI to configure things like
process identity and cycling for the IIS worker process for the
desired application.
-->

Note that "timeout" variable above allows you to set a value in hours, minutes, and seconds - indicating the life of the aspnet_wp.exe process. When the ASP.net launches aspnet_wp.exe (which happens the first time a page is called that requires ASP.net) the timer starts. The asnet_wp.exe process is recycled when it has been "alive" for the timeout period.

Even though it's not the same thing as setting a date and time for recycling the ASP.net worker process, this will achieve periodic recycling and can serve to keep your application healthy. Also note that you can control other aspects of recycling behavior here, including shutting down the worker process when it is not in active use (thereby achieving recycling that occurs during off peak times).

Submit your questions to the IIS Insider. Selected questions along with the answers will be posted in a future IIS Insider column.

For a list of previous months' questions and answers on IIS Insider columns, click here.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as is," without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.